diff --git a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
index 3815f2af27..2801354c2c 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
+++ b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
@@ -146,8 +146,6 @@
href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md
- name: Use the AppLocker Windows PowerShell cmdlets
href: applocker\use-the-applocker-windows-powershell-cmdlets.md
- - name: Use AppLocker and Software Restriction Policies in the same domain
- href: applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md
- name: Optimize AppLocker performance
href: applocker\optimize-applocker-performance.md
- name: Monitor app usage with AppLocker
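Review bot: The removed entry for applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md leaves the article itself unaccounted for in the part of the patch shown here: there is no deletion of the .md file and no redirect. If the article is being retired, delete the file and add a redirect in the same change so existing links keep resolving; if it is staying, an article missing from the TOC is orphaned and hard to find. The same applies to using-software-restriction-policies-and-applocker-policies.md, which the next hunk removes from the TOC.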
@@ -243,8 +241,6 @@
href: applocker\understand-the-applocker-policy-deployment-process.md
- name: Requirements for Deploying AppLocker Policies
href: applocker\requirements-for-deploying-applocker-policies.md
- - name: Use Software Restriction Policies and AppLocker policies
- href: applocker\using-software-restriction-policies-and-applocker-policies.md
- name: Create Your AppLocker policies
href: applocker\create-your-applocker-policies.md
items:
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
index 4a3fe25421..e237fc6361 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -1,21 +1,18 @@
---
title: Deploy AppLocker policies by using the enforce rules setting
-description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
+description: This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/19/2023
---
# Deploy AppLocker policies by using the enforce rules setting
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
+This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
## Background and prerequisites
-These procedures assume that you have already deployed AppLocker policies with the enforcement set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design.
+These procedures assume that your AppLocker policies are deployed with the enforcement mode set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design.
For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md).
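Review bot: The rewritten sentence under "Background and prerequisites" introduces "enforcement mode", while the front-matter description, the intro line and the very next sentence ("For info about the AppLocker policy enforcement setting") still say "enforcement setting", and Step 2 later uses "enforcement mode setting". Pick one term and use it throughout the article. The same sentence opens with "your AppLocker policies" (plural) and ends with "the policy's adherence" (singular); make the number agree.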
@@ -23,18 +20,18 @@ For info about how to plan an AppLocker policy deployment, see [AppLocker Design
## Step 1: Retrieve the AppLocker policy
-Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do these tasks, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this task, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
+Updating an AppLocker policy that is currently enforced in your production environment can cause unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on a reference or test PC. For the procedure to do these tasks, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this task, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
## Step 2: Alter the enforcement setting
-Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
+Rule enforcement is applied to all rules within a rule collection, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. For information about the enforcement mode setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement mode setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
## Step 3: Update the policy
You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) feature from the Microsoft Desktop Optimization Pack.
> [!CAUTION]
-> You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
+> You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can cause unexpected behavior.
For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
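Review bot: In Step 2, the sentence "By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced" is dropped with no replacement. That default is what an administrator most needs to know before importing a policy whose enforcement mode is not configured, so either keep it or confirm that the linked "Understand AppLocker Enforcement Settings" article states it. Also in Step 2, the procedure link still points to "Configure an AppLocker policy for audit only" in an article about moving to enforced rules; enforce-applocker-rules.md, which maintain-applocker-policies.md links to, looks like the intended target.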
@@ -46,4 +43,4 @@ When a policy is deployed, it's important to monitor the actual implementation o
## Other resources
-- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
+- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index 01166c2ac5..ed64315838 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -1,32 +1,30 @@
---
title: Edit an AppLocker policy
-description: This topic for IT professionals describes the steps required to modify an AppLocker policy.
+description: This article for IT professionals describes the steps required to modify an AppLocker policy.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/19/2023
---
# Edit an AppLocker policy
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals describes the steps required to modify an AppLocker policy.
-This topic for IT professionals describes the steps required to modify an AppLocker policy.
-
-You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't create a new version of the policy by importing more rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You can't automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
+You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't create a new version of the policy by importing more rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you want to merge multiple AppLocker policies into a single one, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You can't automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
There are three methods you can use to edit an AppLocker policy:
-- [Editing an AppLocker policy by using Mobile Device Management (MDM)](#bkmk-editapppolinmdm)
-- [Editing an AppLocker policy by using Group Policy](#bkmk-editapppolingpo)
-- [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo)
+- [Editing an AppLocker policy by using Mobile Device Management (MDM)](#editing-an-applocker-policy-by-using-mobile-device-management-mdm)
+- [Editing an AppLocker policy by using Group Policy](#editing-an-applocker-policy-by-using-group-policy)
+- [Editing an AppLocker policy by using the Local Security Policy snap-in](#editing-an-applocker-policy-by-using-the-local-security-policy-snap-in)
-## Editing an AppLocker policy by using Mobile Device Management (MDM)
-If you deployed the AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of the policy node.
+## Editing an AppLocker policy by using Mobile Device Management (MDM)
+
+To edit an AppLocker policy deployed using the AppLocker configuration service provider (CSP), update the content in the string value of the CSP's policy node.
For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
-## Editing an AppLocker policy by using Group Policy
+## Editing an AppLocker policy by using Group Policy
The steps to edit an AppLocker policy distributed by Group Policy include:
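Review bot: The three in-page links move from the explicit bookmarks `#bkmk-editapppolinmdm`, `#bkmk-editapppolingpo` and `#bkmk-editapplolnotingpo` to anchors generated from the heading text. If the heading changes in this hunk drop the bookmark ids, any link from another article that targets the old names will no longer land on the section, and the new anchors change whenever a heading is reworded. Search the repo for the old bookmark names before merging and update those links in the same change.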
@@ -38,33 +36,34 @@ AppLocker provides a feature to export and import AppLocker policies as an XML f
After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For information on the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
->**Caution:** Importing a policy onto another PC will overwrite the existing policy on that PC.
-
+> [!IMPORTANT]
+> Importing a policy onto another PC will overwrite the existing policy on that PC.
+
### Step 3: Use AppLocker to modify and test the rule
AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection.
-- For information on the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md).
-- For information on the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md).
-- For procedures to create rules, see:
-
- - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
- - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
- - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
- - [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
-
-- For information on the steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
-- For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
+- For information on the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md).
+- For information on the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md).
+- For procedures to create rules, see:
+ - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
+ - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
+ - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
+ - [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
+- For information on the steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
+- For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
### Step 4: Use AppLocker and Group Policy to import the AppLocker policy back into the GPO
For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
->**Caution:** You should never edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed run, making changes to a live policy can create unexpected behavior. For info about testing policies, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
-
->**Note:** If you are performing these steps by using Microsoft Advanced Group Policy Management (AGPM), check out the GPO before exporting the policy.
-
-## Editing an AppLocker policy by using the Local Security Policy snap-in
+> [!IMPORTANT]
+> You should avoid editing an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can cause unexpected behavior. For info about testing policies, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
+
+> [!NOTE]
+> If you are performing these steps by using Microsoft Advanced Group Policy Management (AGPM), check out the GPO before exporting the policy.
+
+## Editing an AppLocker policy by using the Local Security Policy snap-in
The steps to edit an AppLocker policy distributed by using the Local Security Policy snap-in (secpol.msc) include the following tasks.
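Review bot: In the alert under Step 4, "You should never edit" becomes "You should avoid editing" and the alert moves from Caution to `[!IMPORTANT]`, which softens the guidance while the stated reason (changes to a live policy can cause unexpected behavior) stays the same. The same warning in deploy-applocker-policies-by-using-the-enforce-rules-setting.md remains `[!CAUTION]` with "You should not edit". Settle on one alert type and one strength of wording for all three articles. Separately, the last bullet of the Step 3 list ("For procedures to export the updated policy from the reference computer back into the GPO") repeats the body of Step 4 word for word; drop it from Step 3.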
@@ -74,20 +73,20 @@ On the PC where you maintain policies, open the AppLocker snap-in from the Local
After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For information on the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
->**Caution:** Importing a policy onto another PC will overwrite the existing policy on that PC.
-
+> [!IMPORTANT]
+> Importing a policy onto another PC will overwrite the existing policy on that PC.
+
### Step 2: Identify and modify the rule to change, delete, or add
AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection.
-- For information on the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md).
-- For information on the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md).
-- For procedures to create rules, see:
-
- - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
- - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
- - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
- - [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
+- For information on the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md).
+- For information on the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md).
+- For procedures to create rules, see:
+ - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
+ - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
+ - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
+ - [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
### Step 3: Test the effect of the policy
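Review bot: The overwrite warning after Step 1 moves from Caution to `[!IMPORTANT]`, here and in the Group Policy section above. Importing replaces the policy on the target PC, which is a destructive action, so `[!CAUTION]` or `[!WARNING]` fits better than `[!IMPORTANT]`. The text could also use the present tense ("Importing a policy onto another PC overwrites the existing policy on that PC"), in line with the "will help" to "helps" change made elsewhere in this patch.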
@@ -99,4 +98,4 @@ For procedures to export the updated policy from the reference computer to targe
## Other resources
-- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
+- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md
index 1a9f1401e7..933deb03c0 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/maintain-applocker-policies.md
@@ -3,48 +3,46 @@ title: Maintain AppLocker policies
description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 12/31/2017
+ms.date: 12/19/2023
---
# Maintain AppLocker policies
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic describes how to maintain rules within AppLocker policies.
+This article describes how to maintain rules within AppLocker policies.
Common AppLocker maintenance scenarios include:
-- A new app is deployed, and you need to update an AppLocker policy.
-- A new version of an app is deployed, and you need to either update an AppLocker policy or create a new rule to update the policy.
-- An app is no longer supported by your organization, so you need to prevent it from being used.
-- An app appears to be blocked but should be allowed.
-- An app appears to be allowed but should be blocked.
-- A single user or small subset of users needs to use a specific app that is blocked.
+- A new app is deployed, and you need to update an AppLocker policy.
+- A new version of an app is deployed, and you need to either update an AppLocker policy or create a new rule to update the policy.
+- An app is no longer supported by your organization, so you need to prevent it from being used.
+- An app appears to be blocked but should be allowed.
+- An app appears to be allowed but should be blocked.
+- A single user or small subset of users needs to use a specific app that is blocked.
There are three methods you can use to maintain AppLocker policies:
-- [Maintaining AppLocker policies by using Mobile Device Management (MDM)](#bkmk-applkr-use-mdm)
-- [Maintaining AppLocker policies by using Group Policy](#bkmk-applkr-use-gp)
-- [Maintaining AppLocker policies on the local computer](#bkmk-applkr-use-locsnapin)
+- [Maintaining AppLocker policies by using Mobile Device Management (MDM)](#maintaining-applocker-policies-by-using-mobile-device-management-mdm)
+- [Maintaining AppLocker policies by using Group Policy](#maintaining-applocker-policies-by-using-group-policy)
+- [Maintaining AppLocker policies on the local computer](#maintaining-applocker-policies-by-using-the-local-security-policy-snap-in)
+
+## Maintaining AppLocker policies by using Mobile Device Management (MDM)
-## Maintaining AppLocker policies by using Mobile Device Management (MDM)
Using the AppLocker configuration service provider, you can select which apps are allowed or blocked from running. Using the CSP, you can configure app restrictions based on grouping (such as EXE, MSI, DLL, Store apps and more) and then chose how to enforce different policies for different apps.
For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
-## Maintaining AppLocker policies by using Group Policy
+## Maintaining AppLocker policies by using Group Policy
For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks.
-As new apps are deployed or existing apps are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy Object (GPO) to ensure that your policy is current.
+As new apps are deployed, and existing apps are updated or retired, you might need to update the rules in the Group Policy Object (GPO) to keep your policy current.
-You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create
-versions of GPOs.
+You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs.
->**Caution:** You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
+> [!IMPORTANT]
+> You should avoid editing an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can cause unexpected behavior.
-### Step 1: Understand the current behavior of the policy
+### Step 1: Understand the current behavior of the policy from the GPO
Before modifying a policy, evaluate how the policy is currently implemented. For example, if a new version of the application is deployed, you can use **Test-AppLockerPolicy** to verify the effectiveness of your current policy for that app.
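Review bot: The third in-page link keeps the text "Maintaining AppLocker policies on the local computer" but now points to `#maintaining-applocker-policies-by-using-the-local-security-policy-snap-in`; make the link text match the heading it targets. The new Step 1 heading, "Understand the current behavior of the policy from the GPO", reads as if the behavior comes from the GPO; "Understand the current behavior of the policy in the GPO" is clearer. While the MDM section is being touched, "then chose how to enforce" should be "then choose how to enforce".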
@@ -54,14 +52,14 @@ Updating an AppLocker policy that is currently enforced in your production envir
### Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule
-After the AppLocker policy has been exported from the GPO into the AppLocker reference or test computer, or has been accessed on the local computer, the specific rules can be modified as required.
+After you export the AppLocker policy from the GPO into the AppLocker reference or test computer, or access the policy on the local computer, the rules can be modified as required.
To modify AppLocker rules, see the following articles:
-- [Edit AppLocker rules](edit-applocker-rules.md)
-- [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) or [Merge AppLocker policies manually](merge-applocker-policies-manually.md)
-- [Delete an AppLocker rule](delete-an-applocker-rule.md)
-- [Enforce AppLocker rules](enforce-applocker-rules.md)
+- [Edit AppLocker rules](edit-applocker-rules.md)
+- [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) or [Merge AppLocker policies manually](merge-applocker-policies-manually.md)
+- [Delete an AppLocker rule](delete-an-applocker-rule.md)
+- [Enforce AppLocker rules](enforce-applocker-rules.md)
### Step 4: Test the AppLocker policy
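Review bot: The rewritten sentence under Step 3 starts in the active voice ("After you export ... or access the policy on the local computer") and ends in the passive ("the rules can be modified as required"). Finish it in the active voice, "you can modify the rules as required", and consider "export the AppLocker policy from the GPO to the reference or test computer", since "export ... into" reads awkwardly.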
@@ -72,9 +70,11 @@ You should test each collection of rules to ensure that the rules perform as int
After testing, import the AppLocker policy back into the GPO for implementation. To update the GPO with a modified AppLocker policy, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
### Step 6: Monitor the resulting policy behavior
+
After deploying a policy, evaluate the policy's effectiveness.
-## Maintaining AppLocker policies by using the Local Security Policy snap-in
+## Maintaining AppLocker policies by using the Local Security Policy snap-in
+
For every scenario, the steps to maintain an AppLocker policy by using the Local Group Policy Editor or the Local Security Policy snap-in include the following tasks.
### Step 1: Understand the current behavior of the policy
@@ -85,7 +85,7 @@ Before modifying a policy, evaluate how the policy is currently implemented.
Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules don't allow users to open or run any files that aren't allowed.
-To modify AppLocker rules, see the appropriate topic listed on [Administer AppLocker](administer-applocker.md).
+To modify AppLocker rules, see the appropriate article listed on [Administer AppLocker](administer-applocker.md).
### Step 3: Test the AppLocker policy
@@ -101,4 +101,4 @@ After deploying a policy, evaluate the policy's effectiveness.
## Other resources
-- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
+- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
index c251209071..984bdf95d2 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
@@ -1,86 +1,82 @@
---
title: Monitor app usage with AppLocker
-description: This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied.
+description: This article for IT professionals describes how to monitor app usage when AppLocker policies are applied.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/19/2023
---
# Monitor app usage with AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals describes how to monitor app usage when AppLocker policies are applied.
-This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied.
+After you deploy AppLocker policies, monitor its effect on devices to ensure the results are what you expected.
-Once you set rules and deploy the AppLocker policies, it's a good practice to determine if the policy implementation is what you expected.
+## Discover the effect of an AppLocker policy
-### Discover the effect of an AppLocker policy
+You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document helps you track your findings. You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules.
-You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document will help you track your findings. You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules.
+- **Analyze the AppLocker logs in Event Viewer**
-- **Analyze the AppLocker logs in Event Viewer**
+ When AppLocker policy enforcement is set to **Enforce rules**, any files that aren't allowed by your policy are blocked. In that case, an event is raised in the AppLocker event log for the rule collection. When AppLocker policy enforcement is set to **Audit only**, rules aren't enforced but are still evaluated to generate audit event data that is written to the AppLocker logs.
- When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules aren't enforced but are still evaluated to generate audit event data that is written to the AppLocker logs.
+ For more information on the procedure to access the log, see [View the AppLocker Log in Event Viewer](#view-the-applocker-log-in-event-viewer).
- For more information on the procedure to access the log, see [View the AppLocker Log in Event Viewer](#bkmk-applkr-view-log).
-
-- **Enable the Audit only AppLocker enforcement setting**
+- **Enable the Audit only AppLocker enforcement setting**
By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules are properly configured for your organization. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
For more information on the procedure to do this configuration, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
-- **Review AppLocker events with Get-AppLockerFileInformation**
+- **Review AppLocker events with Get-AppLockerFileInformation**
- For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if you're using the audit-only enforcement mode) and how many times the event has occurred for each file.
+ For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files were blocked or would be blocked (if you're using the audit-only enforcement mode) and how many times the block event occurred for each file.
- For more information on the procedure to do this verification, see [Review AppLocker Events with Get-AppLockerFileInformation](#bkmk-applkr-review-events).
+ For more information on the procedure to do this verification, see [Review AppLocker Events with Get-AppLockerFileInformation](#review-applocker-events-with-get-applockerfileinformation).
-- **Review AppLocker events with Test-AppLockerPolicy**
+- **Review AppLocker events with Test-AppLockerPolicy**
- You can use the **Test-AppLockerPolicy** Windows PowerShell cmdlet to determine whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies.
+ You can use the **Test-AppLockerPolicy** Windows PowerShell cmdlet to determine whether any of the rules in your rule collections affect files run on your reference device or the device on which you maintain policies.
For more information on the procedure to do this testing, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
-### Review AppLocker events with Get-AppLockerFileInformation
+## Review AppLocker events with Get-AppLockerFileInformation
-For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if the **Audit only** enforcement setting is applied) and how many times the event has occurred for each file.
+For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files were blocked or would be blocked (if the **Audit only** enforcement setting is applied) and how many times the block event occurred for each file.
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
> [!NOTE]
> If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file.
-
-**To review AppLocker events with Get-AppLockerFileInformation**
-1. At the command prompt, type **PowerShell**, and then press ENTER.
-2. Run the following command to review how many times a file would have been blocked from running if rules were enforced:
+### To review AppLocker events with Get-AppLockerFileInformation
+
+1. At the command prompt, type **PowerShell**, and then select ENTER.
+2. Run the following command to review how many times your AppLocker policy didn't allow a file:
```powershell
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
```
-3. Run the following command to review how many times a file has been allowed to run or prevented from running:
+3. Run the following command to review how many times a file was allowed to run or prevented from running:
```powershell
Get-AppLockerFileInformation -EventLog -EventType Allowed -Statistics
```
-### View the AppLocker Log in Event Viewer
+## View the AppLocker Log in Event Viewer
-When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
+When AppLocker policy enforcement is set to **Enforce rules**, any files that aren't allowed by your policy are blocked. In that case, an event is raised in the AppLocker event log for the rule collection. When AppLocker policy enforcement is set to **Audit only**, rules aren't enforced but are still evaluated to generate audit event data that is written to the AppLocker logs.
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
-**To view events in the AppLocker log by using Event Viewer**
+### To view events in the AppLocker log by using Event Viewer
-1. To open Event Viewer, go to the **Start** menu, type **eventvwr.msc**, and then select ENTER.
-2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, double-click **AppLocker**.
+1. To open Event Viewer, go to the **Start** menu, type **eventvwr.msc**, and then select ENTER.
+2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, double-click **AppLocker**.
-AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file
-formats for further analysis.
+AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file formats for further analysis.
-## Related topics
+## Related articles
- [AppLocker](applocker-overview.md)
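Review bot: In the "To review AppLocker events with Get-AppLockerFileInformation" procedure, the new step 2 text ("how many times your AppLocker policy didn't allow a file") no longer matches the command beneath it, which passes `-EventType Audited`. The removed wording ("would have been blocked from running if rules were enforced") described that command accurately, so either keep the audit qualifier in step 2 or add a separate step for blocks under **Enforce rules**. Step 3 carries the same mismatch forward on a line this change touches: it says "allowed to run or prevented from running" while the command is `-EventType Allowed`. Minor, in the intro: "monitor its effect" should be "monitor their effect", since the antecedent is "AppLocker policies".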
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md
index 8646482c66..6523b1bccc 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/optimize-applocker-performance.md
@@ -1,28 +1,24 @@
---
title: Optimize AppLocker performance
-description: This topic for IT professionals describes how to optimize AppLocker policy enforcement.
+description: This article for IT professionals describes how to optimize AppLocker policy enforcement.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/19/2023
---
# Optimize AppLocker performance
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for IT professionals describes how to optimize AppLocker policy enforcement.
+This article for IT professionals describes how to optimize AppLocker policy enforcement.
## Optimization of Group Policy
-AppLocker policies can be implemented by organization unit (OU) using Group Policy. If so, your Group Policy infrastructure should be optimized and retested for performance when AppLocker policies are added to existing Group Policy Objects (GPOs) or new GPOs are created, as you do with adding any policies to your GPOs.
+You can implement AppLocker policies by organization unit (OU) using Group Policy. When adding policies to Group Policy Objects (GPO), including AppLocker policies, you should retest and optimize for performance if needed.
For more info, see the [Optimizing Group Policy Performance](/previous-versions/technet-magazine/cc137720(v=msdn.10)) article in TechNet Magazine.
### AppLocker rule limitations
-The more rules per GPO, the longer AppLocker requires for evaluation. There is no set limitation on the number of rules per GPO, but the number of rules that can fit into a 100 MB GPO varies based on the complexity of the rule, such as the number of file hashes included in a single file hash
-condition.
+The more rules per GPO, the longer AppLocker requires for evaluation. Although there's no set limitation on the number of AppLocker rules per GPO, the size of your GPOs can vary based on the types of rules you create. For example, a policy consisting mainly of file hash rules requires many more rules than ones that use signature-based rules where possible.
### Using the DLL rule collection
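Review bot: The rewritten paragraph under "AppLocker rule limitations" says a hash-heavy policy "requires many more rules than ones that use signature-based rules where possible", but "ones" has no clear referent, and "signature-based rules" appears nowhere else in this diff (the removed text spoke of a "file hash condition"). Suggest naming the rule type the way the rest of the AppLocker articles do and writing "than a policy that uses ... rules where possible". The paragraph also opens on evaluation time and then switches to GPO size without connecting the two, and the edit drops the 100 MB figure from the old text. If that limit still applies, it should stay; if not, say how GPO size relates to evaluation time. Minor, under "Optimization of Group Policy": "organization unit (OU)" should read "organizational unit (OU)".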
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
index de4fc78024..33b57f4bc0 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
@@ -1,52 +1,50 @@
---
title: Test and update an AppLocker policy
-description: This topic discusses the steps required to test an AppLocker policy prior to deployment.
+description: This article discusses the steps required to test an AppLocker policy prior to deployment.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/19/2023
---
# Test and update an AppLocker policy
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article discusses the steps required to test an AppLocker policy prior to deployment.
-This topic discusses the steps required to test an AppLocker policy prior to deployment.
-
-You should test each set of rules to ensure that the rules perform as intended. If you use Group Policy to manage AppLocker policies, complete the following steps for each Group Policy Object (GPO) where you have created AppLocker rules. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs.
+You should test each set of rules to ensure that the rules perform as intended. If you use Group Policy to manage AppLocker policies, complete the following steps for each Group Policy Object (GPO) containing AppLocker rules. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs.
## Step 1: Enable the Audit only enforcement setting
-By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For information on the procedure to do this configuration, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
+Use the **Audit only** enforcement mode setting to verify your AppLocker rules are properly configured for your organization without blocking any code. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For information on the procedure to do this configuration, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
## Step 2: Configure the Application Identity service to start automatically
-Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For information on the procedure to do this configuration, see [Configure the Application Identity Service](configure-the-application-identity-service.md). For AppLocker policies that aren't managed by a GPO, you must ensure that the service is running on each PC in order for the policies to be applied.
+Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For more information, see [Configure the Application Identity Service](configure-the-application-identity-service.md). If you don't deploy your AppLocker policies using a GPO, you must ensure that the service is running on each PC in order for the policies to apply.
## Step 3: Test the policy
-Test the AppLocker policy to determine if your rule collection needs to be modified. Because you have created AppLocker rules, enabled the Application Identity service, and enabled the **Audit only** enforcement setting, the AppLocker policy should be present on all client PCs that are configured to receive your AppLocker policy.
+Test the AppLocker policy to determine if your rule collection needs to be modified. Your AppLocker policy should be active in audit mode only on all client PCs configured to receive your AppLocker policy.
-The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference PCs. For information on the procedure to do this testing, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
+The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the code run on your reference PCs is blocked by the rules in your rule collection. For information on the procedure to do this testing, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
## Step 4: Analyze AppLocker events
+
You can either manually analyze AppLocker events or use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to automate the analysis.
-**To manually analyze AppLocker events**
+### To manually analyze AppLocker events
-You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you haven't configured an event subscription, then you'll have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md).
+Use Event Viewer or a text editor to view and sort your AppLocker events for analysis. You might look for patterns in application usage events, access frequencies, or access by user groups. If you don't have an event subscription configured, you can review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md).
-**To analyze AppLocker events by using Get-AppLockerFileInformation**
+### To analyze AppLocker events by using Get-AppLockerFileInformation
You can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an app is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem.
-For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files have been blocked or would have been blocked (if you're using the **Audit only** enforcement mode) and how many times the event has occurred for each file. For information on the procedure to do this monitoring, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md).
+For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files weren't allowed by your policy and how many times the event occurred for each file. For information on the procedure to do this monitoring, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md).
-After using **Get-AppLockerFileInformation** to determine how many times that a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this blocker GPO, you can use the Group Policy Results Wizard to view rule names.
+Next, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this blocker GPO, you can use the Group Policy Results Wizard to view rule names.
## Step 5: Modify the AppLocker policy
-After you've identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that aren't managed by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md).
+Once you know what rules you want to edit or add to the policy, use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. If you don't manage your AppLocker policies by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md).
## Step 6: Repeat policy testing, analysis, and policy modification
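Review bot: In Step 3, the new Test-AppLockerPolicy sentence says the cmdlet determines whether code "is blocked by the rules in your rule collection", which contradicts Step 1's new wording that **Audit only** verifies rules "without blocking any code"; "would be blocked" keeps the two consistent. In the same step, "active in audit mode only on all client PCs" parses two ways ("audit mode only" or "only on all client PCs"); using the setting name, "in **Audit only** mode on all client PCs", removes the ambiguity. Step 4 has a related gap: the Get-AppLockerFileInformation sentence now drops the audit qualifier ("weren't allowed by your policy"), so a reader in this audit-only procedure can't tell that these are would-be blocks. In Step 5, the touched line still reads "For info how to modify an AppLocker policy, see, [Edit an AppLocker policy]"; suggest "For info about how to modify an AppLocker policy, see [Edit an AppLocker policy]".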
@@ -54,4 +52,4 @@ Repeat the previous steps 3-5 until all the rules perform as intended before app
## Other resources
-- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
+- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
deleted file mode 100644
index a8a22bcdb4..0000000000
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: Use AppLocker and Software Restriction Policies in the same domain
-description: This article for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
-ms.localizationpriority: medium
-ms.topic: conceptual
-ms.date: 11/07/2022
----
-
-# Use AppLocker and Software Restriction Policies in the same domain
-
-This article for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
-
-> [!IMPORTANT]
-> Software Restriction Policies were deprecated beginning with Windows 10 build 1803 and above, and also applies to Windows Server 2019 and above. You should use Windows Defender Application Control (WDAC) or AppLocker to control what software runs.
-
-## Using AppLocker and Software Restriction Policies in the same domain
-
-AppLocker is supported on systems running Windows 8.1. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It's recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored.
-
-The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker.
-
-|Application control function|SRP|AppLocker|
-|--- |--- |--- |
-|Scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to Windows Server 2008 R2, Windows 7, and later.|
-|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.
AppLocker permits customization of error messages to direct users to a Web page for help.|
-|Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
-|Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
-|Enforcement mode|SRP works in the "blocklist mode" where administrators can create rules for files that they don't want to allow in this Enterprise whereas the rest of the file is allowed to run by default.
SRP can also be configured in the "allowlist mode" so that by default all files are blocked. In "allowlist mode", administrators need to create allow rules for files that they want to run.|AppLocker by default works in the "allowlist mode" where only those files are allowed to run for which there's a matching allow rule.|
-|File types that can be controlled|SRP can control the following file types: